stackoom
  简体   繁体   中英

Access to Azure KeyVault from an app in another Azure ActiveDirectory tenant

 原文  2017-03-17 00:09:51       azure/ azure-active-directory/ azure-keyvault

Question

I have an Azure subscription in which I have all the resources for my web application. I have created another ActiveDirectory tenant, defined a AD Application in the tenant, and set it up as the authentication provider for my AppService. Now, I want to create a KeyVault resource in my subscription and give my AD Application access to the KeyVault.

The Azure KeyVault documentation says to run the following PS command: 

Set-AzureRmKeyVaultAccessPolicy -VaultName <KVName> -ObjectId <ClientId> -PermissionsToKeys get

However, this returns the following error: 

Cannot find the Active Directory object '<ClientId>' in tenant '<MyDefaultTenantId>'

The issue seems to be that my KV is not in the same AD tenant as my AD application, but Set-AzureRmKeyVaultAccessPolicy command does not seem to have a TenatId argument.

Is there any way I can achieve what I want? Do I have to move my AD application to my default AD tenant?

3 answers

solution1
 4  2017-03-17 00:43:40

不可以。密钥保险库只接受来自其所在租户的身份。

solution2
 1  2017-03-19 00:20:06

You can of course make your application multi-tenant , consent the application into the Azure AD directory in the subscription containing the Key vault and then add the application as a principal with access permissions to Key vault in the portal.

Your application can then access the Key vault on behalf of users from that directory or on its own behalf using client credentials.

solution3
 0  2018-05-17 18:58:24

I had the same situation and requirement (never going to get back these 8 hours :-) but you can easily make this consent by calling a specific URL and continue granting the application identity the necessary permissions in the key vault

in short... 

GET https://login.microsoftonline.com/{tenant}/adminconsent?
client_id=6731de76-14a6-49ae-97bc-6eba6914391e
&state=12345
&redirect_uri=http://localhost/myapp/permissions

Always run in private browser window to not get all tangled up in the different identities during your browser day life time.

Read more here: https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-scopes#using-the-admin-consent-endpoint

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question How to share a key from one azure tenant(account) keyvault under one subscription to another azure tenant(account) keyvault in another subscription How to access resources in one tenant from another tenant in Azure? Access Azure KeyVault from Xamarin Form Troubleshooting Keyvault access from Azure VM Read Azure KeyVault Secret from Function App Terraform grant azure function app with msi access to azure keyvault Azure AD: How assign App roles for users from another tenant Create an Azure ActiveDirectory tenant for Azure Germany Cloud (MCD) Azure Keyvault to access resources from different azure subscriptions Azure KeyVault: SPN KeyVault Access Denied
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM